This is the fourth and final post in my series on the NSA Codebreaker Challenge
2015, covering the fourth task of the challenge. If you haven't read them, you might
want to check out the posts on Task 1, Task 2, and Task 3.

Task 4

A military organization has inquired as to whether it would be possible to
spoof messages to the terrorists, making the messages appear to come from the
terror group's leadership. This capability would be a game-changer in their
efforts to disrupt and disband the organization. Program binaries and keys have
already been distributed throughout the terrorist organization, though, so
achieving this effect must be done only by modifying the message file. Your
mission is to investigate whether this is possible and, if so, provide a
message file that would spoof the following message while making it appear as
though it came from the leadership. The message will be sent to the same
high-ranking member that the message from Task 1 was originally sent to.
The message to encode is, "SENSITIVE MESSAGE: Leadership has arranged a meeting
with the local authorities to discuss partnering opportunities. As a
high-ranking member in our organization, your attendance is requested. Meet at
the city police station at 18:00. Be discreet, and come unarmed as to not draw
attention. Mention the pass code cpspxahyvss2s5101lho at the front desk to be
escorted in." Use the template file from Task 3 to encode this message into.

Since it wasn't possible to rely on a modified binary or keys, the only
hope was to find a vulnerability in the existing binary that I could exploit
to override the signature verification. Fortunately, after some time digging
through the disassembly and following execution in gdb, I found just such
a vulnerability.

Due to a bug in the program's bounds checking, it was possible to overwrite the
stored result of the signature verification and make the verification succeed
for arbitrary signatures.

On a successful call to RSA_verify, the program would store the value
0x72d499eb at a specific stack offset, as shown below.

Later, the program would copy the signature to a buffer located exactly 128 bytes
before the location where the verification result was stored. Normally this
would cause no problem, particularly since a bounds-checking version of
memcpy was used. However, in this case the destination buffer size was
incorrectly specified as 132 bytes (0x84) as shown below.

Since the length of the data copied was based on the size of the signature
read, simply appending 4 additional bytes to the signature would cause the
results of the signature verification stored on the stack to be overwritten
with the chosen value. In this case, the value that needed to be appended
was 0x72d499eb.

Note that since the value would be written directly to the stack, it needed
to be in little-endian byte order to work on x86 systems.
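To make the off-by-four concrete, here is an added C sketch of the layout the post describes, with the mis-sized bounds check beside a corrected one. It is not the challenge binary's code: the struct, function names and the 0x41 filler are constructed for illustration; the 128/132-byte sizes and the marker value are the ones given above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIG_BUF_LEN   128u          /* real size of the stack buffer */
#define DECLARED_LEN  0x84u         /* size the binary told the check: 132 */
#define VERIFIED_MARK 0x72d499ebu   /* stored when RSA_verify succeeds */

/* Constructed stand-in for the stack layout the post describes (not the
 * challenge's code): the result word sits right after the buffer. */
struct frame { unsigned char sig[SIG_BUF_LEN]; uint32_t verified; };

/* *_chk-style guard: refuses the copy only when len exceeds the *declared* dst size. */
static int checked_copy(void *dst, size_t dst_size, const void *src, size_t len)
{
    if (len > dst_size) return -1;
    memcpy(dst, src, len);
    return 0;
}

/* Buggy: 132 declared for a 128-byte buffer, so 132 bytes pass and hit f->verified. */
int copy_sig_buggy(struct frame *f, const unsigned char *sig, size_t len)
{
    return checked_copy(f->sig, DECLARED_LEN, sig, len);
}

/* Fixed: bound from the buffer itself, exact length required, result cleared first. */
int copy_sig_fixed(struct frame *f, const unsigned char *sig, size_t len)
{
    if (len != sizeof f->sig) return -1;
    f->verified = 0;
    return checked_copy(f->sig, sizeof f->sig, sig, len);
}

/* The later check the program performs on the stored result word. */
int looks_verified(const struct frame *f) { return f->verified == VERIFIED_MARK; }

int main(void)
{
    struct frame f = {0};
    unsigned char in[SIG_BUF_LEN + 4];              /* constructed input */
    uint32_t mark = VERIFIED_MARK;
    memset(in, 0x41, sizeof in);
    memcpy(in + SIG_BUF_LEN, &mark, 4);             /* host (LE) byte order */
    copy_sig_buggy(&f, in, sizeof in);
    printf("buggy: verified=%d\n", looks_verified(&f));
    memset(&f, 0, sizeof f);
    printf("fixed: rc=%d\n", copy_sig_fixed(&f, in, sizeof in));
    return 0;
}
```

The fixed variant also clears the result word before copying, so the stored verdict can only come from the verification call itself.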

Once the encoder was modified, it was just a matter of encoding the message
and testing the result with the binary and key from Task 1:

user@host:~/nsa_codebreaker_2015/task_4$ ./encode tier3_private.pem message_in.txt tier3_template.txt > secret-message.txt
user@host:~/nsa_codebreaker_2015/task_4$ ../task_1/secret-messenger --reveal --symbol ../task_1/tier1_key.pem --action secret-message.txt
*****SIGNATURE IS VALID*****
Message: SENSITIVE MESSAGE: Leadership has arranged a meeting with the local authorities to discuss partnering opportunities. As a high-ranking member in our organization, your attendance is requested. Meet at the city police station at 18:00. Be discreet, and come unarmed as to not draw attention. Mention the pass code cpspxahyvss2s5101lho at the front desk to be escorted in.
*****SIGNATURE IS VALID*****

This completed Task 4 and the challenge.

Closing Thoughts

This challenge was difficult, but quite fun. Task 3 in particular really
pushed me out of my comfort zone. However, it was great practice, and an
awesome experience. I'm looking forward to doing more of this in the future.